Automate your product security

Exposing security issues and vulnerabilities in connected devices and embedded systems has never been easier. We provide actionable insights that enable your team to take swift action.

The Finite State platform provides security and development teams with:

  • Overall Risk Score
  • Software Bill of Materials (SBOM)
  • Known Vulnerabilities (CVEs)
  • Common Weaknesses (CWEs)
  • Hard Coded Credentials
  • Cryptographic Materials
  • and more.


Visibility & Protection

Gain a comprehensive view of device components, security issues, and supply chain risk. You can’t protect what you can’t see. 


Simplicity & Scalability

Free your processes from costly, slow, and cumbersome manual testing. Whether you have one device or hundreds, simply upload the firmware of all your devices and our automated platform will do the rest, often in less than one business day.

Confidence in your products

Offer proof of testing and security via robust reporting capabilities, giving your customers and stakeholders peace of mind.

Key Features

Device Composition

  • Software Bill of Materials (SBOM): Full visibility into all software components such as binaries, libraries, open source software (OSS), third-party components, embedded software, drivers, etc.
  • Third Party & Open Source Risk: Security risks inherited from your vendors and suppliers, including legal & compliance risk from unknown, undisclosed, or expired licenses.
  • Weakness & Vulnerability Detection: Insecure configurations, hard coded credentials, cryptographic materials, and other possible sources of weakness.

Comprehensive Risk Profile

A unified view of your product and supply chain risks, with a risk score that indicates the level of urgency.

Issue Management

A way to quickly prioritize and manage security issues. Reduce friction between development teams and product security teams by providing remediation guidance with the largest risk reduction ROI.

Compliance Guidance

Critical information necessary to identify compliance gaps and meet key industry standards and regulations:

  • EO 14028
  • NERC CIP-013
  • UNECE WP.29
  • And more

Reporting & Analytics

Share insights and analytics with internal and external stakeholders via our easy and robust reporting function.

  • Trends
  • SBOM
  • Security Posture

Technical Details

What does the Finite State Platform cover?

Overall Risk Score

Finite State computes a composite risk score that is based on the risk subcomponents outlined below.

Software Bill of Materials

The Software Bill of Materials (SBOM) is a comprehensive list of the components found within your device firmware. Firmware is assembled from a combination of open source and proprietary components. Having a robust SBOM is the first step in understanding what’s inside your device.

Known Vulnerabilities

Finite State automatically identifies all known vulnerabilities in device software. Data from our vulnerability data sources is automatically deduplicated and presented to users. Finite State also correlates the risk information in our robust vulnerability database with known exploit data, allowing users to understand how these vulnerabilities are being used by real-world malicious actors.

Common Weaknesses

Common Weakness Enumeration (CWE) entries are categories of software and hardware weaknesses that serve as a baseline for weakness identification, mitigation, and prevention efforts within connected devices.

Hard Coded Credentials

Automated analysis capabilities locate, extract, and attempt to recover plaintext credentials for all accounts on the system. Having a full accounting of the credentials in firmware often leads to the discovery of potential backdoors that increase the risk to the network.
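One concrete piece of the "full accounting of credentials" above is auditing the account database extracted from a firmware filesystem for accounts that log in with no password or that still use a legacy hash algorithm. The following C program is an added example written for this page, not Finite State's code; the shadow-file contents, account names and hash strings are constructed dummies, and the weak-hash rule (13-character DES crypt or `$1$` MD5-crypt) is the author's assumption about what a reviewer would flag first.

```c
#include <stdio.h>
#include <string.h>

/* Findings returned by audit_shadow_line as a bitmask. */
enum {
    CRED_EMPTY_PASSWORD = 1,  /* empty hash field: the account logs in with no password */
    CRED_WEAK_HASH      = 2,  /* traditional DES crypt (13 chars) or $1$ MD5-crypt */
    CRED_MALFORMED      = 4   /* not a name:hash:... record */
};

/* Audit one /etc/shadow-style record ("name:hash:lastchange:..."). Locked
   accounts ("*", "!", "!!") and modern hashes ($5$, $6$, $y$) are not flagged. */
int audit_shadow_line(const char *line)
{
    const char *sep = strchr(line, ':');
    if (!sep || sep == line) return CRED_MALFORMED;
    const char *hash = sep + 1;
    const char *end = strchr(hash, ':');
    size_t hlen = end ? (size_t)(end - hash) : strlen(hash);
    if (hlen == 0) return CRED_EMPTY_PASSWORD;
    if (hash[0] == '*' || hash[0] == '!') return 0;           /* locked: no password login */
    if (strncmp(hash, "$1$", 3) == 0) return CRED_WEAK_HASH;  /* MD5-crypt */
    if (hash[0] != '$' && hlen == 13) return CRED_WEAK_HASH;  /* DES crypt */
    return 0;
}

/* Walk a whole shadow file held in memory (as pulled from an unpacked firmware
   image) and count flagged accounts; with verbose set, print each finding. */
int audit_shadow_blob(const char *blob, int verbose)
{
    int flagged = 0;
    char line[512];
    while (*blob) {
        const char *nl = strchr(blob, '\n');
        size_t full = nl ? (size_t)(nl - blob) : strlen(blob);
        size_t n = full < sizeof line ? full : sizeof line - 1; /* truncate, never overflow */
        memcpy(line, blob, n);
        line[n] = '\0';
        if (n > 0) {
            int f = audit_shadow_line(line);
            if (f) {
                flagged++;
                if (verbose)
                    printf("%.*s: %s\n", (int)strcspn(line, ":"), line,
                           f & CRED_EMPTY_PASSWORD ? "empty password" :
                           f & CRED_WEAK_HASH      ? "weak hash algorithm" : "malformed record");
            }
        }
        blob = nl ? nl + 1 : blob + full;
    }
    return flagged;
}

/* Constructed sample shadow file; the hash strings are dummies, not real hashes. */
const char SAMPLE_SHADOW[] =
    "root::19000:0:99999:7:::\n"                                  /* empty password */
    "admin:$1$dummy$0123456789abcdefABCDEF:19000:0:99999:7:::\n" /* MD5-crypt */
    "svc:AbCdEfGhIjKlM:19000:0:99999:7:::\n"                     /* DES crypt */
    "daemon:*:19000:0:99999:7:::\n"                              /* locked */
    "ops:$6$dummysalt$dummyhash:19000:0:99999:7:::\n";           /* SHA-512 crypt */

int main(void)
{
    int n = audit_shadow_blob(SAMPLE_SHADOW, 1);
    printf("%d of 5 accounts flagged\n", n);
    return 0;
}
```

Running it on the constructed file flags `root`, `admin` and `svc` and leaves the locked and SHA-512 accounts alone; the same loop applies to any `passwd`/`shadow` pair recovered from a firmware root filesystem.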
Cryptographic Materials

The presence of materials such as private keys and authorized key files can indicate backdoors allowing unintended access to the device.

Safety Features

Most modern software compilers have safety features that are used to prevent common exploit methods. These features are turned on by default—so when we see that these are not enabled on binaries, we can assume that someone has actively turned these features off. That may have been done maliciously, or it may have been done to make the existing code work. We cannot determine intent; however, we can see if these compiler-level protections are turned on consistently to protect against malicious attacks.
Code Complexity

Code complexity can help analysts understand the risk profile and stability estimations of any unit of code. This particular metric effectively looks at the number of different decisions that can be made in a unit of code. When this score is higher, there are more logical paths to follow, which means there is a higher level of difficulty to adequately test the software. Software that is more difficult to test has been shown in many studies to have a higher risk of defects, which correlates with security vulnerabilities.
Unsafe Function Calls

In programming languages like C, there is a series of legacy functions such as strcpy that are considered unsafe and have secure variants such as strncpy. Unsafe function calls expose the binary to the risk of buffer overflow, format string, and other types of attacks.
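To make the strcpy/strncpy point concrete, the following C program is an added example written for this page (not code from Finite State) that places the unsafe call beside two replacements: the bare strncpy swap that scanners often accept, and a bounded copy that checks the length first and always writes a terminator. The 16-byte `NAME_LEN` buffer and the sample strings are constructed for the demonstration. It also shows the caveat a reviewer would raise about the "secure variant": when the input is at least as long as the buffer, strncpy stops in time but leaves the destination without a NUL byte, so a later `strlen` or `printf` still reads past the end.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* fixed-size destination, as in a typical firmware config struct */

/* The pattern the page warns about: strcpy copies until it finds a NUL byte and
   never consults the destination size, so any src of NAME_LEN or more bytes
   writes past the end of dst (CWE-120, buffer copy without checking size). */
void unsafe_set_name(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Swapping in strncpy alone is a common half-fix: it stops after NAME_LEN bytes,
   but when src is that long it writes no terminating NUL. */
void strncpy_only(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN);
}

/* Hardened form: measure first, then either reject oversized input (-1) or, when
   the caller accepts truncation, copy at most NAME_LEN-1 bytes and always write
   the terminator. Returns the number of bytes stored. */
int safe_set_name(char dst[NAME_LEN], const char *src, int allow_truncate)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN && !allow_truncate) { dst[0] = '\0'; return -1; }
    size_t copy = n < NAME_LEN - 1 ? n : NAME_LEN - 1;
    memcpy(dst, src, copy);
    dst[copy] = '\0';
    return (int)copy;
}

/* 1 if a NUL terminator exists within the NAME_LEN-byte buffer, else 0. */
int is_terminated(const char dst[NAME_LEN])
{
    return memchr(dst, '\0', NAME_LEN) != NULL;
}

/* Wrappers that run each variant on a fresh buffer and return a checkable result. */
int safe_copy_result(const char *src, int allow_truncate)
{
    char dst[NAME_LEN];
    return safe_set_name(dst, src, allow_truncate);
}

int strncpy_leaves_terminator(const char *src)
{
    char dst[NAME_LEN];
    memset(dst, 'A', NAME_LEN);          /* poison the buffer so a missing NUL is visible */
    strncpy_only(dst, src);
    return is_terminated(dst);
}

int main(void)
{
    char name[NAME_LEN];
    unsafe_set_name(name, "boot");       /* fits; the same call with a long src would overflow */
    printf("strcpy, short input: \"%s\"\n", name);
    printf("strncpy terminates short input: %d, long input: %d\n",
           strncpy_leaves_terminator("boot"),
           strncpy_leaves_terminator("this string is far too long"));
    int r = safe_set_name(name, "this string is far too long", 0);
    printf("safe_set_name rejects oversized input: %d\n", r);
    r = safe_set_name(name, "this string is far too long", 1);
    printf("safe_set_name with truncation stored %d bytes: \"%s\"\n", r, name);
    return 0;
}
```

The practical takeaway for triaging an "unsafe function call" finding is that replacing the function name is not the fix; the fix is the explicit length check and guaranteed termination that `safe_set_name` shows, which is also why a finding on `strncpy` still deserves a look.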

Ready to take action?

Take control of your product security.